Description
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn’t contain the dataType option.
Recommendation
Update the jquery package to the latest compatible version. Followings are version details:
Affected version(s): **>= 1.12.3, < 3.0.0 < 1.12.2** Patched version(s): **3.0.0 1.12.2**
References
- GHSA-rmxg-73gg-4p98
- access.redhat.com
- ics-cert.us-cert.gov
- kb.pulsesecure.net
- lists.apache.org
- seclists.org
- security.netapp.com
- snyk.io
- sw.aveva.com
- www.oracle.com
- www.tenable.com
- lists.opensuse.org
- packetstormsecurity.com
- security.snyk.io
- web.archive.org
- CVE-2015-9251
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- jQuery vulnerable to Cross-Site Scripting (XSS) - CVE-2011-4969
- Stored Cross-site Scripting (XSS) in excalidraw's web embed component - CVE-2024-32472
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
- ghtml Cross-Site Scripting (XSS) vulnerability - CVE-2024-37166
- Tags:
- npm
- jquery
Anything's wrong? Let us know Last updated on September 25, 2023